Wanted: A New, Soft Set of Skills for Internal Auditors

May is International Internal Audit Awareness Month. We are celebrating with a series of blog posts focused on internal audit topics and the daily challenges and future of the internal audit profession.



By Brian Christensen
Global Leader, Internal Audit and Financial Advisory




What I described in my previous posts, here, here and here, is a new kind of internal auditor – a well-connected and socially savvy strategist equally capable of understanding and explaining complex analytics and of winning the right to be heard. So what are the characteristics and traits that this kind of internal auditor will need to possess to be successful?

This is a topic we will revisit over the next 18 months or so, as we pore over the mountain of information we’ve gathered in the CBOK Stakeholder Survey. It is critically important, because while the basics of a financial and accounting background remain fundamental to our mission of assurance, it will be our success as communicators that will drive our transformation, as a profession, into the trusted advisers we aspire to be.

Think of the chief audit executives you know. What made them valuable contributors? Communication? Flexibility? Adaptiveness? Are those characteristics that you would normally use to describe yourself or members of your team? If you are a director or senior executive reading this, are these characteristics that describe your chief auditor?

The traditional education gained coming up through an audit, finance, IT or accounting background remains pertinent, but what about those other skills, especially the ability to communicate? What does that mean? Think about the effective communicators whom you’ve seen interact with the C-suite. What makes them successful? First, they listen and, second, they ask focused questions to discover the real issues and problems that merit solving. They are able to get to the point quickly and articulate complex issues and relevant ideas and solutions in a way others can understand. That makes them relevant. To top it off, they likely have a very good notion about when to speak up, picking up on non-verbal cues as necessary.

Augmenting the communications side, today’s internal auditor needs to be flexible and agile enough to be comfortable with change. As an auditor, how dynamic is your audit plan? Are you willing to take things off and redirect your focus when a major unusual transaction or event occurs? What happens when management decides to circle the wagons when a major supply chain disruption occurs, or a significant product recall? Are you engaged with management and the board to take into consideration these types of situations?

As I mentioned before, we, as the internal audit function, can help give a common language to assist in guiding the organization, both the business leaders and the board, around this conversation. Boards want to understand what’s going on. Because of the direct reporting relationship of auditors to boards of directors, auditors can be the liaison who reports and provides information going forward.

And that wraps up my recap of the 2016 CBOK Survey. I look forward to hearing about all the ways you are evolving your internal audit function, developing and strengthening stakeholder relationships. To access the webinar discussion, click here and sign in to view the archived version.

Prioritizing Risks and Demonstrating Strategic Risk Savvy



By Brian Christensen
Global Leader, Internal Audit and Financial Advisory




In my last post, I argued that internal auditors should go beyond assurance to serve as strategic advisers to executive management and directors.

This begs the question: Which risks do we focus on? CBOK survey respondents were adamant that they want to see internal audit more directly involved in advising on strategic risks – more than half said so. What they didn’t say is that they want internal auditors to take their eyes off the operational, financial and compliance risks. It’s just that strategic risks are the focus of both senior management and the board, and so it makes sense that, as the internal audit function aligns with the needs of these key constituents, it includes strategic risks in its line of sight.

Traditionally, auditors have done a good job analyzing financial risks. Recent years have seen the move into operational and compliance risk assurance as well. Compliance is a very hot topic with serious reputational underpinnings, so, unsurprisingly, there is a resounding affirmative that we need to continue to respond to that. Where there’s room for growth is in the strategic risk arena: If a company is going through a large ERP implementation, for example, the internal audit function can best add value and demonstrate its understanding of strategic risks by serving in a proactive consultative capacity to the project planning committee.

Not only are stakeholders expecting internal auditors to weigh in on a broader variety of risks, but they are increasingly looking for more timely and, sometimes, even real-time feedback. Audit plans need to be dynamic and audit processes agile enough to adapt on the fly to changes in the risk landscape.

That means that audit tools need to be equally agile. We’re seeing an increased demand for data analytics. A lot of great tools have come out in recent years that enable auditors to mine and report on entire data sets, instead of testing limited samples.

Internal audit’s role in identifying and analyzing risk has become a corporate imperative, even at companies with a separate risk management infrastructure, such as a chief risk officer or chief privacy officer. The difference between these “chiefs” and the chief audit executive (CAE) is that, in most organizations, the CAE reports to the board but also has more frequent face time with directors. This underscores how critical it is for the internal audit function to demonstrate an understanding of strategic risk and be an engaged, familiar face around the company, particularly with its leaders.

So how do we do that? We knock on executives’ doors, ask questions about the company’s direction, inquire about new markets and products, stay curious and informed, and connect the information received from different sources so that executives trust our “big picture” acumen and intuition and engage in this conversation with us. This, in turn, gets us invited more often to the table.

Relationships are key, and I will pick up the topic in my next post. You can access our April 6 webinar here.

Is Your Company Private? The SEC Still Has Advice for You.

By Steve Hobbs
Managing Director, Public Company Transformation




At Protiviti, we routinely counsel private companies that a good governance and control structure is a sound business strategy for any company, and particularly for fast-growth companies with outside investors. If you don’t believe us, just ask the Securities and Exchange Commission (SEC).

Recently, SEC chair Mary Jo White gave a speech at Stanford University, directly addressing private companies. “Being a private company comes with serious obligations to investors and the markets,” White said. “For the new and evolving markets to be successful, all investors need confidence that they are being treated fairly and that the full range of risks are transparently disclosed.”

She went on to say, “Some of the principles that characterize public companies – transparency with investors, controls on financial reporting, strong corporate governance – have applicability and relevance to private companies, especially those pre-IPO companies that aspire to go public, and should not be overlooked or avoided, whether or not mandated by federal law or a SEC regulation.”

So, what are those pre-IPO “musts” that private companies should do now to create good governance and control structure? It comes down to two key pieces of advice:

  • Start early. Understanding the timeline of events and transformation in an IPO process is key. We recommend certain tasks be done prior to an IPO. Such tasks include evaluating the internal control and governance environments and identifying areas of risk as well as areas for improvement.
  • Know the potential issues before they arise. There are a number of issues that companies typically face during the first year of being public. If you plan properly, you can address most of these issues prior to the IPO, and then identify and address the rest as they evolve. Examples include lack of internal buy-in or understanding of the importance of proper controls, minimally documented policies and procedures, and internal control gaps.

Finally, I blogged not long ago about our latest Guide to Public Company Transformation. It contains a wealth of information, in a helpful Q&A format. It’s a good way to take care of the second point I make here – knowing the issues. The early start, that’s up to you.

Going Beyond Assurance



By Brian Christensen
Global Leader, Internal Audit and Financial Advisory




In my last post, I gave a high-level summary of the North American results of The IIA’s 2016 CBOK Stakeholder Study, as presented in an April 6th webinar I hosted. This installment looks beyond the traditional role of assurance to explore ways internal audit departments can effectively serve as strategic advisers to senior management and the board of directors and help identify new and emerging risks.

Every day in the media there’s news of some new or emerging risk, such as new digital advances, changing demographics and geopolitical events. COSO will be releasing an enterprise risk management (ERM) standard in June, which makes it timely for us to ask, “How does an organization look at enterprise risk? How does risk manifest itself within the organization?”

I see an opportunity for internal auditors to facilitate that discussion and monitor for new risks and advise on how they should be managed. This role is clearly within the realm of the internal auditor’s scope and influence, as laid out by The IIA in its definition of internal auditing. It makes sense because the internal auditor is a person who has a broader view of risk than anyone in the organization. Internal audit is one of the few functions that’s not siloed and has a view across all the pillars within the enterprise, from IT to operations and finance. So the opportunity is right there in front of the profession.

Identifying corporate risks and applying risk management frameworks is an important role for internal audit to play because it establishes the nomenclature by which companies communicate about risk and sets the foundational elements of internal control and effective risk management. We, as internal audit professionals, can help provide a common language and a process to assist and guide the organization, both its business leaders and the board, around this conversation.

Looking at the feedback from the CBOK survey, I see a clear acknowledgment that we can, and are, in fact, expected to do just that.

Every audit committee I sit in on and every board member I talk to wants to have the discussion about the internal auditor’s role in identifying known and emerging risks. It’s not satisfactory just to go through the basic blocking and tackling. We need to be asking: What don’t we know? What are the emerging risks? Which of these risks should we be addressing?

Some of the hot topics in recent weeks have been major merger announcements in the hotel and airline industries. Is there a space for internal audit in those types of transitions? I think the answer is a resounding “yes.” Boards are hungry to understand how the risks change during major transformations. Because of the direct reporting relationships of internal auditors to the boards of directors, we can help be that liaison to report and provide insightful risk information going forward.

We often talk about the value of internal audit’s work. We all recognize that it’s not enough in this day and age to just go through the motions, check the boxes, and declare the job done. We need to explore and understand: How do we help our business improve? We need to be involved in enterprise projects, a large ERP implementation, for example, from the beginning in order to identify risk and ensure it is managed proactively – not come in at the end to assess it. We should be providing consultative services around the control environment – not taking management responsibility, but providing real-time feedback on important initiatives for the organization that managers on the firing line can use. It’s an exciting blueprint for the internal audit profession, and we are invited to take an elevated, strategic role in it that I find highly appealing.

So what kind of auditor does it take to play this role, and how can this auditor demonstrate the strategic risk savvy that’s required for it? It’s a question I’ll attempt to answer here next week. I’d love to hear your opinion in the comments, as well.

Relationships and Risks: A Closer Look at the CBOK Survey




By Brian Christensen
Global Leader, Internal Audit and Financial Advisory




I recently had the honor of hosting a webinar with The Institute of Internal Auditors on the 2016 CBOK Stakeholders Study and the evolving role of internal auditors beyond traditional financial assurance. This year’s survey was unique in that it was the first time The IIA partnered with Protiviti on this global study, which included significant input from stakeholders comprised of C-suite executives and board members.

To celebrate Internal Audit Awareness Month, I thought it would be appropriate to take a deep dive into the North American survey results, with additional reports to be released later this year. This installment looks at the overall findings discussed in the April 6th webinar. Subsequent posts will explore some of the more nuanced aspects of the study, focusing not so much on gaps, but on what internal auditors can do to meet, manage or exceed stakeholder expectations.

In the webinar we addressed the four key observations that emerged from the North American results:

  • Internal audit does many things well that could be considered foundational elements of assurance work.
  • There are opportunities for internal audit departments to add value to their organizations by spending more time focusing on risk identification and management, in addition to assurance work.
  • Internal audit should focus more on strategic risks – but exactly what the stakeholders mean by that is less than clear or consistent.
  • Increased demands on internal audit will require CAEs to prioritize competing expectations. Managing these conflicts requires strong relationship and communication skills.

Stakeholders gave internal auditors high marks on the basics, with 80 percent agreeing that their auditors are producing quality work, reliable results, useful recommendations and timely communication.

The question then becomes: What more can audit departments do to ensure that they continue to respond to the emerging needs of their organizations as seen by senior management and the board of directors?

In the study, stakeholders responded that they were most likely to seek advice from the internal audit department to identify known and emerging risks, facilitate and monitor risk management, and develop appropriate risk management frameworks. These results suggest that internal audit and the CAE are perceived as a reservoir of knowledge and insight to be tapped and deployed to improve risk culture and risk management capabilities and inform senior management and the board of up-and-coming risks.

More than half of stakeholder respondents said they want internal audit to be more active in assessing and evaluating strategic risks. However, they expressed low interest in internal audit involvement in new products and initiatives, and in new systems and technologies. This is an interesting finding. I believe that what stakeholders expect of internal audit is to not be distracted by technological novelties and focus instead on specific tools that facilitate the work that matters. Data analytics is increasingly such a tool – there is a growing desire to see data utilized to provide relevant and current information about risk. Strategic insights often come from connecting dots to draw new insights. Data analytics can facilitate that.

With stakeholder expectations rising, the questions for internal auditors revolve around priorities: How can internal audit best manage potential jurisdictional and resource conflicts, while also managing stakeholder expectations? The top response from stakeholders, perhaps not surprisingly, was: Talk to us.

Communication is key, and stakeholders are looking to CAEs to initiate and cultivate strong relationships and open lines of communication with executive management and the board of directors to ensure alignment of priorities. Clearly, soft skills should be a priority.

For many of us in the profession, none of this is new, of course. It is instructive, however, to hear it directly from stakeholders.

In my upcoming posts, I will tackle the other key themes of the stakeholder study: moving beyond assurance to address the needs of boards and management, demonstrating understanding of strategic risks, and developing soft skills and relationships. Meanwhile, to access the discussion, click here and sign in to view the archived version of the webinar.

The Panama Papers Leak Helps Bring Third-Party Risk into Focus

By Scott Moritz
Managing Director, Protiviti Forensic




The Panama Papers leak has offered a window into the ugly underside of private banking, trust and estate planning and tax-avoidance strategies. While the revelations about how thieves, kleptocrats, drug lords and the ultra-rich hide their secret wealth make for most interesting reading, some may struggle to see how the misfortunes of a Panama-based law firm and its well-heeled clients can bear any relevance to corporate compliance. In actuality, much can be learned from the Panama Papers case and applied to corporate compliance programs. Below, I’m going to give you a brief preview of some of the risks that the case has served to reaffirm, and the associated compliance practices that can mitigate the exposure to those risks.

Some would argue that the Panama Papers leak is an “ethical hack” – perhaps the newest oxymoron to become a part of the compliance vernacular. While this may be true, the case demonstrates the increased sophistication of hackers – both in cyber hacks meant to expose crimes and in those meant to commit them. Recent examples evidencing the increased sophistication and power of cyber crime as a weapon include the 2015 hack into several business newswire services holding the not-yet-released earnings of publicly traded companies in the U.S., whereby criminals executed stock trades worth $100 million in advance of the earnings releases; the hacks of millions of U.S. Government top secret clearance applications containing exhaustive personal information on millions of federal employees, presidential appointees and government contractors; and the explosion in business email compromise cases, in which malware is used to penetrate the firewalls of companies, gain access to wire transfer credentials and wire millions directly from the companies’ bank accounts.

The Panama Papers leak highlighted once again how important it is to know your business partners – from knowing who owns the law firm or service provider you are entrusting your most sensitive legal, litigation, tax strategy or wealth management issues to, to understanding whether your sales agent has an undisclosed conflict of interest in the government-owned companies to which he or she is selling your products or services.

Indeed, many of the initial conversations embattled companies have with the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) about potential FCPA violations center on the companies’ knowledge and understanding of their customers and business partners, including the perceived risks that they pose to the company, the classification of these perceived risks, and the enhanced standard of care that the company’s high-risk customers and intermediaries are held to. Companies are expected to be able to answer questions about their third-party partners and customers without hesitation. Those that are unable to readily identify their high-risk customers and business partners in meetings with the DOJ and the SEC will likely be required to develop a plan for addressing these issues and then report back on their progress.

A Resource Guide to the U.S. Foreign Corrupt Practices Act (“the Guide”), jointly released by the Criminal Division of the DOJ and the Enforcement Division of the SEC in November 2012, provides useful information about third-party due diligence, beginning on page 57, in the section titled “Hallmarks of an Effective Compliance Program.”

In essence, the Guide states that while due diligence may and should vary depending upon the degree of risk and other factors, “some guiding principles always apply.” These guiding principles are summarized below:

Qualifications and Associations

Companies should be inquiring about the third party’s business reputation and relationships, if any, with foreign officials. How long has the third party been in business, and does it have prior experience providing the goods or services it is offering? Equally important considerations include whether other companies were considered for the job, whether there was a competitive bidding process, and whether the company was “recommended” by a foreign official.

Business Rationale

Companies must be able to provide a rationale for hiring the third party, and ensure the third-party contract and payments are commensurate with industry and country standards. Ensure the contract terms specifically describe the goods or services to be provided. The timing of the third party’s introduction to the company must also be justified, or it may call into question the motives and legitimacy of the business rationale. Often, after a long pursuit of a business opportunity and perhaps a bureaucratic delay (real or orchestrated), a government official may suggest retaining a consultant to help usher the process along through the bureaucratic processes. The timing of the bureaucratic snarl and the introduction of the consultant could be a way for the foreign official to exact an improper payment through his or her undisclosed ownership of, and cooperation with, the consultant the official is urging you to retain.

Ongoing Monitoring

The Guide suggests that ongoing monitoring may include “updating due diligence periodically, exercising audit rights, providing periodic training, and requesting annual compliance certifications by the third party.” The DOJ and SEC are also interested in whether the company has informed third parties of the compliance program and the company’s commitment to ethical and lawful business practices, and whether it has sought assurances that they, too, are committed to ethical and lawful business practices.

In addition to these three guiding principles, I want to add “Eight Essentials” of a third-party anti-corruption program:

  1. Scope – Determine which of your vendors or service providers should be included in the scope of your third-party anti-corruption program and the criteria on which you base those selections.
  2. Sponsorship – Designate a business sponsor – an internal person responsible for specific third parties included in the scope of your program – who can be held accountable should the relationship prove problematic.
  3. Justification – Have a business rationale for each third party, particularly those that pose heightened corruption risk.
  4. Collection – Collect enough information about the third party, its ownership, history and key personnel to enable you to make risk-based decisions about the party’s suitability to conduct business with your company.
  5. Certification – Share your anti-corruption policy with your third-party partners and obtain their agreement to re-certify to it annually.
  6. Scoring – Use information you’ve collected through various means (questionnaires, watchlists, proprietary databases, etc.) to apply objective risk scoring criteria to each of your third parties and perform investigative due diligence, payment reviews and ongoing monitoring according to the risk score of the party.
  7. Contracts – Ensure that each third party is under contract and that the contracts include language addressing the party’s obligations under your anti-corruption program.
  8. Communication – Through your designated business sponsor, keep third parties informed about the company’s anti-corruption program, training and other issues relevant to them.

I don’t know how far clients of Panama-based Mossack Fonseca followed the recommendations above to ensure the law firm’s business practices and cyber security were commensurate with the value of the entrusted information – clearly, many of them were more interested in the firm’s ability to set up shell companies than in ensuring the security of the information they were entrusting to the firm. As intriguing as the case is, providing a window into the lives of the ultra-rich and powerful, its real effect should be to cause companies and individuals, high net worth or not, to take careful stock of the third parties to whom they entrust their highly sensitive information, perform appropriate background investigations of them and scrutinize the ability of the third party to safeguard its clients’ data by using the information security and encryption standards that the clients themselves follow. To this end, companies should be examining not only the third-party provider’s expertise, reputation, integrity, historical conduct and qualifications but also the specific steps that this provider has taken to ensure that sensitive data is secure, encrypted and not susceptible to either physical theft or exfiltration resulting from a data breach.

Financial Institutions Alert: New Credit Impairment Models Coming Soon

By Charlie Anderson
Managing Director, Model Risk and Capital Management

and Benjamin Shiu
Associate Director, Credit Risk Management


The global financial crisis highlighted a number of weaknesses in the banking systems in the United States and Europe – among them, the way financial firms report their credit losses for loans and other financial instruments. Under existing models, based on Generally Accepted Accounting Principles (GAAP) in the U.S. and the International Financial Reporting Standards (IFRS) in other countries, these losses were reported based on the principle of “incurred loss.” The crisis, however, showed that the incurred loss model recognizes the loss too late. Seven years later, new proposals have been published, and are poised to become standards, that suggest a more forward-looking, “expected loss” approach to recognizing credit losses.

The Financial Accounting Standards Board (FASB) and the International Accounting Standards Board (IASB) have developed two separate but similar proposals, both replacing incurred loss with expected loss in their models. Protiviti issued two papers recently, discussing these proposals in some detail: IFRS 9 Impairment – Practical Implications and Impact of the New Current Expected Credit Loss (CECL) Methodology. The timing of the papers was not accidental – the standards will come into force in January 2018, and banks need to start making changes now to meet this date.

Both the IASB and the FASB proposals suggest using the so-called “three-stage impairment model,” which applies credit deterioration thresholds to determine the horizon of the loss forecasting window. However, the approaches differ slightly, and we discuss them below.

IASB’s Three-Stage Impairment Model Under IFRS 9

IASB issued the final version of International Financial Reporting Standard 9 (IFRS 9) in July 2014. IFRS 9 is set to replace International Accounting Standard (IAS) 39, Financial Instruments: Recognition and Measurement.

Under the new standard’s three-stage model, banks are expected to use two different expected loss windows to determine the credit impairment, depending on the extent of credit deterioration. For assets in Stage 1 (those with little or no deterioration), an organization only needs to recognize the portion of lifetime expected losses that would result from a default event in the next 12 months. For assets in Stages 2 and 3, an organization needs to recognize expected losses over the remaining lifetime of the assets. Financial assets without a significant increase in credit risk are allocated to Stage 1 and use a 12-month window to generate expected credit loss. If the credit risk of a financial asset has increased significantly and is above the judgmental threshold, the asset moves to Stage 2 or 3, and a lifetime window is applied to estimate the credit loss. If the credit risk of the asset later falls back below the judgmental threshold, the asset moves back to Stage 1 and the 12-month window applies again.

FASB’s Proposed CECL Model under GAAP

FASB issued its proposed Accounting Standard Update (ASU) and set forth the CECL methodology in December 2012. This model is intended to replace the multiple impairment models that currently exist for debt instruments in U.S. GAAP. The final impairment credit accounting standard and detailed guidelines for the CECL model are expected to be released by the end of the second quarter of 2016. For public companies that meet the definition of a U.S. Securities and Exchange Commission (SEC) filer, the upcoming standard will be effective for fiscal years (and interim periods within those fiscal years) beginning after December 15, 2019. Other public companies will be required to apply the guidance for fiscal years beginning after December 15, 2020, including interim periods within those fiscal years.

Unlike IFRS 9, the CECL model requires lifetime loss estimation for all assets from the date of origination. Organizations do not need to determine thresholds to move assets between different buckets or use different windows to estimate the credit loss. The credit loss estimates would always be over a lifetime and never limited to loss expected over a specific period of time.

Comparing the Two Approaches

The main difference between the IFRS 9 and CECL impairment models is the use of thresholds to classify financial assets based on their credit risk. IFRS 9 requires banks to rely on credit deterioration thresholds to determine the window for estimating the loss. CECL requires organizations to estimate the lifetime credit loss of all assets from the time the assets are booked on the balance sheet.

In addition, CECL requires organizations to use the most likely scenario to support the lifetime loss forecasting. This scenario should not be the worst or best one, but management’s best estimation, supported by past and current information and information from the foreseeable future.

Aside from the differences in the model framework and scenario decision process, the two credit impairment approaches are similar in their intent. They both require that expected, and not current, credit losses are estimated, and that the estimate is based on past events, current conditions and reasonable and supportable forecasts about the future. Furthermore, they both reflect the time value of money and require the estimation of collectible cash flows, discounted by the effective interest rate.
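The stage logic, the 12-month versus lifetime windows, and the discounting at the effective interest rate described above, worked through as an added toy example (this is not code from the post, from Protiviti, or from either standard). The expected-loss formula (marginal PD × LGD × EAD, discounted at the EIR), the relative lifetime-PD threshold used to flag a "significant increase in credit risk", and the credit-impaired flag driving Stage 3 are my simplifying assumptions, and the loan data is constructed.

```python
"""Toy IFRS 9 three-stage vs CECL expected-credit-loss (ECL) comparison.

Assumptions (simplifications, not the standards' own text):
  - marginal_pd[t] is the unconditional probability that default occurs in
    year t+1 of the loan's remaining life;
  - loss per default = LGD x EAD of that year, discounted at the EIR;
  - "significant increase in credit risk" (SICR) = current lifetime PD is at
    least `sicr_threshold` times the lifetime PD assessed at origination;
  - Stage 3 is driven by a credit-impaired flag (e.g. 90+ days past due).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Loan:
    name: str
    marginal_pd: List[float]      # current view of yearly default probabilities
    origination_pd: List[float]   # same schedule as assessed at origination
    ead: List[float]              # exposure at default per year
    lgd: float                    # loss given default (fraction of EAD)
    eir: float                    # effective interest rate used for discounting
    credit_impaired: bool = False


def lifetime_pd(marginal_pd: List[float]) -> float:
    """Probability of defaulting at any point over the remaining life."""
    return sum(marginal_pd)


def expected_credit_loss(loan: Loan, horizon_years: int) -> float:
    """Present value of expected losses from defaults within `horizon_years`."""
    total = 0.0
    for t in range(min(horizon_years, len(loan.marginal_pd))):
        discount = (1.0 + loan.eir) ** (t + 1)
        total += loan.marginal_pd[t] * loan.lgd * loan.ead[t] / discount
    return total


def ifrs9_stage(loan: Loan, sicr_threshold: float = 2.0) -> int:
    """Allocate the loan to Stage 1, 2 or 3 under the judgmental threshold.

    A loan whose credit risk later drops back under the threshold returns to
    Stage 1, which is the 'cure' movement the three-stage model allows.
    """
    if loan.credit_impaired:
        return 3
    pd_now = lifetime_pd(loan.marginal_pd)
    pd_orig = lifetime_pd(loan.origination_pd)
    if pd_orig > 0 and pd_now / pd_orig >= sicr_threshold:
        return 2
    return 1


def ifrs9_allowance(loan: Loan, sicr_threshold: float = 2.0) -> Tuple[int, float]:
    """IFRS 9: 12-month window in Stage 1, lifetime window in Stages 2 and 3."""
    stage = ifrs9_stage(loan, sicr_threshold)
    horizon = 1 if stage == 1 else len(loan.marginal_pd)
    return stage, expected_credit_loss(loan, horizon)


def cecl_allowance(loan: Loan) -> float:
    """CECL: lifetime expected loss for every asset, from origination onward."""
    return expected_credit_loss(loan, len(loan.marginal_pd))


def compare(loans: List[Loan]) -> Dict[str, Dict[str, float]]:
    """Side-by-side allowances so the horizon difference is visible."""
    out = {}
    for loan in loans:
        stage, ifrs9 = ifrs9_allowance(loan)
        out[loan.name] = {"stage": stage, "ifrs9": ifrs9, "cecl": cecl_allowance(loan)}
    return out


# Constructed sample book: a healthy loan, a deteriorated one and an impaired one.
SAMPLE_BOOK = [
    Loan("healthy", [0.01, 0.01, 0.01], [0.01, 0.01, 0.01], [100, 80, 60], 0.4, 0.05),
    Loan("deteriorated", [0.05, 0.04, 0.03], [0.01, 0.01, 0.01], [100, 80, 60], 0.4, 0.05),
    Loan("impaired", [0.30, 0.10, 0.05], [0.01, 0.01, 0.01], [100, 80, 60], 0.4, 0.05,
         credit_impaired=True),
]

if __name__ == "__main__":
    for name, row in compare(SAMPLE_BOOK).items():
        print(f"{name:12s} stage={row['stage']}  IFRS9={row['ifrs9']:.4f}  CECL={row['cecl']:.4f}")
```

For the healthy loan the IFRS 9 allowance is only the first year's discounted loss while CECL already books the full lifetime figure; once a loan crosses the threshold or is impaired, the two approaches converge on the same lifetime number.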

Both credit impairment approaches are new to the industry, as well as to regulators. We fully expect practical issues and questions to be raised during the implementation and auditing phases, and further evolution of the guidance is quite likely. That is why banks need to start assessing the implications of these approaches sooner rather than later.

For these reasons, we will continue to monitor and provide updates of the development of these two important proposals. Once again, you can read our take on how the proposed standards are likely to impact your organization here and here.